I RDP'ed into another VM, opened notepad, regedit and cmd in order to
reenact the sessions plugin. I didn't get the expected output as was on the
blog post (
http://volatility-labs.blogspot.com/2012/09/movp-11-logon-sessions-processe…).
It shows up under the main RDP console ID. I'm guessing that this is
because I'm using WinXP and it doesn't support multiple logins. Is this the
reason?
$ vol.py sessions -f ~/vmware/VD/VD.vmem --profile=WinXPSP2x86
Volatile Systems Volatility Framework 2.2_rc2
**************************************************
Session(V): f7b0f000 ID: 0 Processes: 27
PagedPoolStart: bb800000 PagedPoolEnd bbbfffff
Process: 656 csrss.exe 2012-09-27 01:15:38
Process: 680 winlogon.exe 2012-09-27 01:15:38
Process: 724 services.exe 2012-09-27 01:15:38
Process: 736 lsass.exe 2012-09-27 01:15:38
Process: 888 vmacthlp.exe 2012-09-27 01:15:39
Process: 900 svchost.exe 2012-09-27 01:15:39
Process: 984 svchost.exe 2012-09-27 01:15:39
Process: 1076 svchost.exe 2012-09-27 01:15:39
Process: 1120 svchost.exe 2012-09-27 01:15:39
Process: 1196 svchost.exe 2012-09-27 01:15:40
Process: 1412 spoolsv.exe 2012-09-27 01:15:41
Process: 1544 svchost.exe 2012-09-27 01:15:50
Process: 1616 jqs.exe 2012-09-27 01:15:50
Process: 1652 PortReporter.ex 2012-09-27 01:15:50
Process: 1820 vmtoolsd.exe 2012-09-27 01:15:53
Process: 1880 VMUpgradeHelper 2012-09-27 01:15:53
Process: 508 alg.exe 2012-09-27 01:16:01
Process: 1512 explorer.exe 2012-09-27 18:39:34
Process: 1156 wscntfy.exe 2012-09-27 18:39:35
Process: 1472 VMwareTray.exe 2012-09-27 18:39:58
Process: 628 jusched.exe 2012-09-27 18:39:59
Process: 1312 cmd.exe 2012-09-27 18:51:10
Process: 2040 jucheck.exe 2012-09-27 18:51:17
Process: 252 wuauclt.exe 2012-09-29 17:28:35
Process: 824 rdpclip.exe 2012-09-29 17:28:43
Process: 388 notepad.exe 2012-10-04 22:24:31
Process: 268 regedit.exe 2012-10-04 22:24:34
Image: 0x829596a0, Address bf800000, Name: win32k.sys
Image: 0x82abc2d8, Address bf000000, Name: dxg.sys
Image: 0x829d66e0, Address bffa0000, Name: ATMFD.DLL
Image: 0x82955e20, Address bff60000, Name: RDPDD.dll
Image: 0xbeff009c, Address c07bd878, Name:
**************************************************
Session(V): f7b6f000 ID: 3 Processes: 2
PagedPoolStart: bb800000 PagedPoolEnd bbbfffff
Process: 1032 csrss.exe 2012-09-29 17:28:42
Process: 2004 winlogon.exe 2012-09-29 17:28:42
Image: 0x82b83788, Address bf800000, Name: win32k.sys
Image: 0x8299eb70, Address bf000000, Name: dxg.sys
Image: 0x82b9de80, Address bf012000, Name: vmx_fb.dll
Image: 0x82a084c8, Address bffa0000, Name: ATMFD.DLL
Image: 0xbeff009c, Address c07bdb78, Name:
**************************************************
Session(V): f7b43000 ID: 1 Processes: 0
PagedPoolStart: bb800000 PagedPoolEnd bbbfffff
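As an added helper (my own example, not code from the post or from Volatility): a small parser that turns the sessions plugin's text output into a session-to-process map, so you can check which session ID a given process or display driver (rdpclip.exe, RDPDD.dll) landed in; the embedded sample is a trimmed excerpt of the listing above.

```python
import re

# Abbreviated excerpt of the sessions output quoted in the post above (trimmed
# for this example; the values shown are the ones from that listing).
SAMPLE = """\
**************************************************
Session(V): f7b0f000 ID: 0 Processes: 27
PagedPoolStart: bb800000 PagedPoolEnd bbbfffff
Process: 656 csrss.exe 2012-09-27 01:15:38
Process: 824 rdpclip.exe 2012-09-29 17:28:43
Process: 388 notepad.exe 2012-10-04 22:24:31
Image: 0x82955e20, Address bff60000, Name: RDPDD.dll
Image: 0xbeff009c, Address c07bd878, Name:
**************************************************
Session(V): f7b6f000 ID: 3 Processes: 2
Process: 1032 csrss.exe 2012-09-29 17:28:42
Process: 2004 winlogon.exe 2012-09-29 17:28:42
Image: 0x82b83788, Address bf800000, Name: win32k.sys
**************************************************
Session(V): f7b43000 ID: 1 Processes: 0
"""

SESSION_RE = re.compile(r"^Session\(V\): (\w+) ID: (\d+) Processes: (\d+)")
PROCESS_RE = re.compile(r"^Process: (\d+) (\S+) (\S+ \S+)")
IMAGE_RE = re.compile(r"^Image: (0x[0-9a-f]+), Address ([0-9a-f]+), Name: ?(.*)$")


def parse_sessions(text):
    """Map session ID -> {"addr", "processes": [(pid, name, created)], "images": [(base, name)]}."""
    sessions, current = {}, None
    for line in text.splitlines():
        if m := SESSION_RE.match(line):
            current = {"addr": m.group(1), "processes": [], "images": []}
            sessions[int(m.group(2))] = current
        elif current is None:
            continue  # anything before the first session header is ignored
        elif m := PROCESS_RE.match(line):
            current["processes"].append((int(m.group(1)), m.group(2), m.group(3)))
        elif m := IMAGE_RE.match(line):
            # an empty Name: field (as seen in the listing) is kept as None
            current["images"].append((m.group(2), m.group(3) or None))
    return sessions


def sessions_with(sessions, name):
    """Session IDs whose process or image list contains `name` (case-insensitive)."""
    name = name.lower()
    return sorted(sid for sid, s in sessions.items()
                  if any(p[1].lower() == name for p in s["processes"])
                  or any((i[1] or "").lower() == name for i in s["images"]))
```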